Boeing Research & Technology

P.O. Box 3707 Seattle WA 98124 USA fltemplin@acm.org

I-D Internet-Draft On some IPv6 links, clients may have a reasonable expectation that routers on the link would be willing to support DHCPv6 address/prefix delegation services without the need to first examine the M/O bits in a received Router Advertisement (RA) message. Such clients should therefore be capable of invoking the IPv6 Neighbor Discovery (IPv6ND) router discovery and Dynamic Host Configuration Protocol for IPv6 (DHCPv6) address/prefix delegation services in a single message exchange instead of multiple. This document specifies a new IPv6ND option termed the "DHCPv6ND Option" that supports both functions in a single message exchange.

On some IPv6 links, clients may have a reasonable expectation that routers on the link would be willing to support DHCPv6 address/prefix delegation services without the need to first examine the M/O bits in a received Router Advertisement (RA) message. Such clients should therefore be capable of invoking the IPv6 Neighbor Discovery (IPv6ND) router discovery and Dynamic Host Configuration Protocol for IPv6 (DHCPv6) address/prefix delegation services in a single message exchange instead of multiple. This document specifies a new IPv6ND option termed the "DHCPv6ND Option" that supports both functions in a single message exchange.

The IPv6ND specification defines the protocol, message formats and option types for operation of the IPv6 protocol over all manners of links. Routers on the link send Router Advertisement (RA) messages to a link-scoped multicast address allowing clients to detect their presence. After examining the M/O bits in a received RA, a client can then invoke DHCPv6 services and/or StateLess Address AutoConfiguration (SLAAC) procedures to obtain IPv6 addresses. (In some environments, the DHCPv6 Prefix Delegation (PD) service may also be available to satisfy client needs.) This document concerns a service in which clients may send immediate Router Solicitation (RS) messages to invoke timely RA responses from routers on the link, i.e., whether or not an unsolicited multicast RA is also received. If the clients are further aware in advance that routers on the link would be willing to provide DHCPv6 address/prefix delegation services, it would be beneficial if the RS/RA message exchanges themselves could also convey DHCPv6 parameters. This would not only reduce message overhead but also reduce the attack surface since all operations are conducted in a single (secured) message exchange. This document specifies a DHCPv6 option for IPv6 Neighbor Discovery ("DHCPv6ND") with the following format:

In this format "Type" is assigned an integer IPv6 ND option type value "TBD" (see: IANA Considerations), "Length" is the length of the option in units of 8 octets and the remainder of the option is a standard-format DHCPv6 message per . The DHCPv6 message begins with a 1-octet msg-type followed by a 3-octet transaction-id and ends with a variable length concatenation of DHCPv6 options. Null Padding is added following the end of the DHCPv6 options if necessary to ensure 8-octet alignment. In a reference use case, when a client on the link wishes to invoke the combined services without necessarily waiting to receive an RA, it can send an RS message containing a DHCPv6ND Option. The DHCPv6 message will typically include a request for address and/or prefix delegations plus a Rapid Commit option. Upon receiving the RS message, one or more routers on the link that are willing to provide DHCPv6 services convey the DHCPv6 message to a nearby DHCPv6 server, e.g., via a loopback interface on the local node. When the DHCPv6 server responds, the router encapsulates the DHCPv6 response in an RA message DHCPv6ND option and sends the RA message to the unicast address of the client. It is important to understand that multiple routers on the link may send independent RA responses to a single RS message. The client should process the union of all DHCPv6 information received in RAs (keeping track of their respective routers of origin) and either accept or decline any offered addresses or prefixes. Following an initial RS/RA exchange when a router successfully delivers DHCPv6 delegations to a client, the client is responsible for refreshing lease lifetimes prior to their expiration. For this purpose, the client can either initiate another RS/RA exchange (e.g., if parameters such as router or prefix lifetimes are also nearing expiration) or include a DHCPv6ND option in a Neighbor Solicitation (NS) message prepared according to Neighbor Unreachability Detection (NUD) procedures. When the router receives the NS message, it processes the DHCPv6ND option and returns a Neighbor Advertisement (NA) message that also includes a responsive DHCPv6ND option. Note that it is not an error for a router that either does not recognize the option or cannot provide the requested service to return an NA/RA with a DHCPv6ND Option containing a negative response or no DHCPv6ND Option at all. The client can then attempt to obtain DHCPv6 services via another router on the link. However, routers SHOULD NOT return a DHCPv6 Option response in an NA/RA message sent to a multicast address, and clients MUST ignore a DHCPv6 Option response in a multicast NA/RA.

In progress.

The IANA is instructed to allocate a new entry in the "IPv6 Neighbor Discovery Option Formats" table of the "icmpv6-parameters" registry. The entry should set "Type" to TBD, "Description" to "DHCPv6ND option" and "Reference" to "[RFCXXXX]" (i.e., this document). IANA Registration procedures are "RFC Required".

By combining the IPv6 ND router discovery and DHCPv6 managed address delegation procedures in a single RS/RA message exchange, the attack surface for the service is reduced since only the RS and RA messages need to be secured. The DHCPv6ND option may appear in RS/RA or NS/NA messages for initial delegations or lease extensions. The option must be ignored if it appears in a Redirect message. When link or physical-layer security services are absent or inadequate, network layer securing services for IPv6ND messages that contain the DHCPv6ND option should be applied to ensure integrity and authorization. Nodes that do not recognize the DHCPv6ND option in the ND messages they process ignore the option and process any other recognized options present. This supports operation on links with a "mixed" set of clients and routers, where some recognize and process the option while others ignore it.

This work was inspired by continued investigations into 5G MANET operations in cooperation with the Virginia Tech National Security Institute (VTNSI). Honoring life, liberty and the pursuit of happiness.

<< RFC Editor - remove prior to publication >> Differences from earlier versions: Clarifications based on list input. Include support for NS/NA/RS/RA. IANA Considerations and Security Considerations. First draft publication.